Found a security issue? Please email security@swiftswap.net before any public disclosure. We respond within 48 hours and pay rewards for verified vulnerabilities.
Our Security Commitment
SwiftSwap is built on a non-custodial architecture — user funds go wallet-to-wallet and are never held by our platform. This significantly reduces our attack surface. However, we continuously work to identify and fix vulnerabilities in our web application, API, and infrastructure.
Responsible Disclosure Policy
Please DO:
- Provide detailed reports with reproducible steps
- Report vulnerabilities privately to security@swiftswap.net
- Allow us reasonable time to fix the issue before public disclosure
- Only test on your own accounts or test environments we provide
- Include your preferred contact method and payment address for rewards
Please DO NOT:
- Access, modify, or delete data belonging to other users
- Disrupt our service or perform denial-of-service attacks
- Attempt social engineering attacks on our team
- Publicly disclose the vulnerability before we've had a chance to patch it
- Exploit a vulnerability beyond what's needed to demonstrate it
Bug Bounty Rewards
| Severity | Description | Reward |
| --- | --- | --- |
| Critical | Fund theft, authentication bypass, complete system compromise | Up to $5,000 USDT |
| High | Privilege escalation, significant data breach potential, payment fraud | Up to $1,000 USDT |
| Medium | Information disclosure, XSS with significant impact, rate limit bypass | Up to $200 USDT |
| Low | Minor information disclosure, low-impact vulnerabilities | Up to $50 USDT |
In-Scope Assets
- Web application: swiftswap.net and all subdomains
- API: api.swiftswap.net
- Authentication systems
- Payment processing (premium subscriptions)
- Smart contracts (when deployed)
Out-of-Scope
- Third-party services and infrastructure we use
- Theoretical vulnerabilities without proof of concept
- Social engineering or phishing attacks
- Physical security attacks
- UI/UX bugs without security impact
- Rate limiting on non-sensitive endpoints
Disclosure Timeline
We commit to the following response times:
- Acknowledgment: Within 48 hours of report
- Initial assessment: Within 5 business days
- Fix for Critical issues: Within 30 days
- Fix for High/Medium: Within 90 days
- Public disclosure: Coordinated with reporter, after patch deployed
How to Submit a Report
Send your report to security@swiftswap.net
Please include:
- Type of vulnerability
- Affected component (URL, endpoint, function)
- Step-by-step reproduction instructions
- Potential impact assessment
- Your suggested fix (if any)
- Your wallet address for reward payment (USDT-TRC20 preferred)
For sensitive reports, you may encrypt your email using our PGP key (available on request).